HTC admits smartphone data vulnerability

Mobile phone manufacturer HTC has admitted that its handsets have a built-in “vulnerability” which could allow customers’ personal data to be leaked.

The company said it is working on a fix for the “massive” security problem, which was claimed to make users’ account details – including email addresses, the users’ latest GPS locations, their SMS data and phone numbers – available to third party apps.

It is not known how many people could be affected but the blog which – along with two security experts – uncovered the issue last weekend said it believed that some HTC Sensation models, as well as the EVO 4G, EVO Shift 4G, EVO 3D and Thunderbolt models are all at risk.

On Saturday, the blog Android Police and security experts Trevor Eckhart and Justin Case published claims that a recent HTC update to some of its devices running on the Android operating system installed a feature which collected users’ data and – through the vulnerability they identified – made them available to any third party app requesting access to the internet.

Writing on the blog, Artem Russakovskii said: “It’s like leaving your keys under the mat and expecting nobody who finds them to unlock the door.”

Writing after HTC’s fix announcement, Russakovskii raised concerns that the fix would not plug the leak altogether but would simply add a layer of authentication – currently missing – while letting the system “continue to collect the same kind of sensitive data to be potentially reported back to HTC or carriers”. An HTC spokesman was unable to say on Tuesday what form the company’s security patch would take.

An HTC spokesman said that, so far, the company has “not learned of any customers being affected” but said it is “working very diligently to quickly release a security update that will resolve the issue on affected devices”. No release date was given for the fix but a source said on Tuesday that an HTC team has identified a fix and that the company is keen to “sort the problem asap”. When released, the patch will be made available “over-the-air”, but HTC advised customers to take care when “downloading, using, installing and updating applications from untrusted sources”.

HTC explained that its investigation, which is still ongoing, found that while the company’s software does not itself leak customers’ data, “there is a vulnerability that could potentially be exploited by a malicious third-party application”. In a statement, the company said: “A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws…[we] would like to prevent it by making sure all customers are aware of this potential vulnerability.

“Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly.”